Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ReferenceGrant from Gateway to Secret #791

Merged
merged 10 commits into from
Jun 28, 2023
Merged

ReferenceGrant from Gateway to Secret #791

merged 10 commits into from
Jun 28, 2023

Conversation

kate-osborn
Copy link
Contributor

Proposed changes

Problem: NKG does not support cross-namespace Secret references on Gateway.

Solution: Add support for ReferenceGrants that permit Gateways to reference Secrets in different namespaces. NKG now processes ReferenceGrants and verifies that Gateways with references to Secrets in different Namespaces have a corresponding ReferenceGrant. If no ReferenceGrant exists, the RefNotPermitted reason is used in all the listener conditions (Accepted, Programmed, and ResolvedRefs), and the listener is marked invalid. Secrets will only be resolved if the reference is permitted. No additional validation is needed for ReferenceGrant as it does not correspond to any nginx config. We treat every upsert/delete of a ReferenceGrant as a change. This means we will regenerate nginx config every time a ReferenceGrant is created, updated (generation must change), or deleted, even if it does not apply to the accepted Gateway.

Testing: 100% unit test coverage of new functions, updated existing unit tests, and verified that the applicable conformance test pass.

Closes #694

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@kate-osborn kate-osborn requested a review from a team as a code owner June 26, 2023 21:09
@github-actions github-actions bot added documentation Improvements or additions to documentation enhancement New feature or request labels Jun 26, 2023
sjberman
sjberman reviewed Jun 26, 2023
View reviewed changes
examples/https-termination/README.md Outdated Show resolved Hide resolved
examples/https-termination/reference-grant.yaml Outdated Show resolved Hide resolved
internal/state/graph/gateway_listener.go Show resolved Hide resolved
internal/state/graph/gateway_test.go Outdated Show resolved Hide resolved
internal/state/graph/reference_grant_test.go Outdated Show resolved Hide resolved
internal/state/graph/reference_grant_test.go Outdated Show resolved Hide resolved
@kate-osborn kate-osborn requested a review from sjberman June 27, 2023 17:35
pleshakov
pleshakov reviewed Jun 27, 2023
View reviewed changes
Copy link
Contributor

@pleshakov pleshakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means we will regenerate nginx config every time a ReferenceGrant is created, updated (generation must change), or deleted, even if it does not apply to the accepted Gateway.

do we need to track these things somewhere? so that we know about them when the time comes to reduce number of reloads.

examples/https-termination/cafe-secret.yaml Show resolved Hide resolved
conformance/Makefile Show resolved Hide resolved
internal/state/graph/reference_grant.go Show resolved Hide resolved
internal/state/graph/reference_grant.go Show resolved Hide resolved
internal/state/graph/graph.go Show resolved Hide resolved
internal/state/graph/gateway_test.go Outdated Show resolved Hide resolved
internal/state/graph/graph.go Show resolved Hide resolved
@kate-osborn
Copy link
Contributor Author

This means we will regenerate nginx config every time a ReferenceGrant is created, updated (generation must change), or deleted, even if it does not apply to the accepted Gateway.

do we need to track these things somewhere? so that we know about them when the time comes to reduce number of reloads.

We have this issue which I think covers it: #552

@kate-osborn kate-osborn requested a review from pleshakov June 27, 2023 22:17
@kate-osborn kate-osborn merged commit e6e149d into nginxinc:main Jun 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ciarams87 ciarams87 ciarams87 approved these changes

@sjberman sjberman sjberman approved these changes

@pleshakov pleshakov pleshakov approved these changes

Assignees
No one assigned
Labels
documentation Improvements or additions to documentation enhancement New feature or request
Projects
NGINX Gateway Fabric
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ReferenceGrant from Gateway to SecretObjectReference
4 participants
@kate-osborn @pleshakov @sjberman @ciarams87